From: "GoMi" <gomi@perezoso.net>
To: lartc@vger.kernel.org
Subject: [LARTC] Shaping p2p programs
Date: Wed, 05 Nov 2003 21:49:41 +0000	[thread overview]
Message-ID: <marc-lartc-106806946800410@msgid-missing> (raw)

Hi there, I am going to explain my setup and post my scripts in
case they are of any help to anybody :)
This mail is a little long, but I think the only way you can understand me
is if I write out my whole code..

1.- I have two ADSL connections connected through Ethernet cards eth0 and
eth1 to the routers
	-Both ADSL are 2Mbit downstream / 300kbit upstream
	-eth2 goes to my 200 users LAN.

2.- I am doing load balancing (that works great)

3.- I have a mail and web server redirected to eth0's ADSL.

4.- My QoS setup attached to eth0 and eth1
	1 Qdisc for high-priority traffic 	(mark 1)
	1 Qdisc for low-priority traffic 	(mark 2)
	1 Qdisc for SYN,ACK traffic	 	(mark 3)
	1 Qdisc for ICMP traffic		(mark 4)
	1 Qdisc for Web-server traffic	(mark 5)
		->Scripts below

5.- Since I am doing load balancing I have a stateful firewall as
explained in the Nano HOWTO
		->Firewall scripts below

6.- Use the mangle table to mark packets and redirect them to the Qdisc
	Let me explain my reasoning:
		I want to mark interactive traffic like HTTP, SMTP, etc. with
mark 1
		Mark DNS traffic and MSN Messenger (dport 1863) as
interactive high priority, mark 1

		Mark p2p programs with the ipp2p module with mark 2
			(dport 1214 is Imesh)
		In order to make sure ACK and SYN traffic is going out
properly I have a special qdisc
		If any traffic is unmarked, mark it as low-priority
		->Mangle setup below


---->PROBLEM:
  The problem comes after having this setup running for an hour or so,
when interactive traffic has VERY HIGH latency, or nearly DIES.
  Anybody having a more or less similar setup? Because it is driving me mad
here!
  Any suggestions are welcome :) Thank you very much!!!!!

  My box is an Athlon 900MHz with 1GB RAM:
	cat /proc/sys/net/ipv4/ip_conntrack_max
	57336

	txqueuelen on all eth cards is 100.

	
----> SCRIPTS
 
IPTABLES MANGLE Table

  # Restore the mark saved on the connection; a connection that was already
  # classified skips the rules below
  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT

  # ICMP -> mark 4, DNS -> mark 1, any other UDP -> mark 2 (low priority)
  iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
  iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
  iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2

  # p2p: ipp2p match, Kazaa signature, Imesh (dport 1214) -> mark 2
  # well-known ports (HTTP, SMTP, ...) and MSN Messenger (dport 1863) -> mark 1
  iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
  iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
  # Save the mark on the connection so later packets are classified once
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

  # SYN -> mark 3 (own qdisc); pure ACKs go to the chkack chain, a
  # user-defined chain that has to exist before this rule is added
  iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
  iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
  # Anything still unmarked (mark 0) is low priority, as stated in point 6
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark 2


Script for QoS attached to eth0
	#!/bin/bash
	DEV=eth0

	# root HTB qdisc; packets with no matching filter fall into 1:10
	tc qdisc add dev ${DEV} handle 1: root htb default 10
	# top-level class hangs directly off the root qdisc (parent 1:)
	tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit

	######################################
	## Interactive traffic
	tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
	tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

	#######################################
	# Non Interactive Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

	########################################
	## SYN,ACK Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30

	########################################
	## ICMP Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

	########################################
	## Web-Server Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

Script for QoS attached to eth1
	#!/bin/bash
	DEV=eth1

	# root HTB qdisc; packets with no matching filter fall into 1:10
	tc qdisc add dev ${DEV} handle 1: root htb default 10
	# top-level class hangs directly off the root qdisc (parent 1:)
	tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit

	########################################
	## Interactive Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
	tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

	#######################################
	# Non Interactive Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

	########################################
	## SYN,ACK Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit ceil 250kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
	# alternative u32 match on small TCP packets (SYN/ACK), currently disabled:
	#tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8 0x10 0xff at 33 flowid 1:30

	########################################
	## ICMP Traffic
	tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40


Firewall setup

####################################################
##  Stateful Firewall
##

        # keep_state: accept packets of known connections, otherwise return
        # to the calling chain
        iptables -t filter -N keep_state
        iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -t filter -A keep_state -j RETURN

        iptables -t nat -N keep_state
        iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -t nat -A keep_state -j RETURN

        iptables -t nat -A PREROUTING -j keep_state
        iptables -t nat -A POSTROUTING -j keep_state
        iptables -t nat -A OUTPUT -j keep_state

        iptables -t filter -A INPUT -j keep_state
        iptables -t filter -A OUTPUT -j keep_state
        iptables -t filter -A FORWARD -j keep_state

        # drop forwarded traffic to these ports
        iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
        iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
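Added diagnostic example, not part of the original post and not a LARTC script: the first thing to check when the interactive class "dies" on a setup like the one above is whether packets are actually landing in the HTB class the marks intend, and whether the children's guaranteed rates fit inside the parent class. The POSIX shell functions below parse the HTB output format of `tc -s class show dev eth0`; the dump embedded in SAMPLE_TC_STATS is constructed with made-up numbers (not captured from the poster's box), and all function names are my own.

```shell
#!/bin/sh
# Constructed `tc -s class show dev eth0` dump for an HTB tree like the one in
# the post. Numbers are made up to show the bulk class 1:20 carrying almost all
# bytes while the interactive class 1:10 is dropping packets.
SAMPLE_TC_STATS='class htb 1:1 root rate 250Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 9851234 bytes 7300 pkt (dropped 0, overlimits 0 requeues 0)
 rate 248Kbit 31pps backlog 0b 0p requeues 0
 lended: 120 borrowed: 0 giants: 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 100Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 51234 bytes 400 pkt (dropped 42, overlimits 318 requeues 0)
 rate 4Kbit 2pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 50Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 9600000 bytes 6500 pkt (dropped 0, overlimits 5120 requeues 0)
 rate 199Kbit 27pps backlog 120000b 80p requeues 0
 lended: 0 borrowed: 110 giants: 0
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 45Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 200000 bytes 400 pkt (dropped 0, overlimits 12 requeues 0)
 rate 40Kbit 2pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 10 giants: 0'

# Read tc class statistics on stdin and print one line per class:
#   classid kind sent_bytes dropped overlimits backlog_pkts
summarize_htb_stats() {
    awk '
        /^class htb/ { id = $3; kind = ($4 == "root") ? "root" : "child" }
        /^ *Sent / {
            sent = $2; dropped = $7; over = $9
            gsub(/[^0-9]/, "", dropped); gsub(/[^0-9]/, "", over)
        }
        /^ *rate / && id != "" {
            backlog = $6; gsub(/[^0-9]/, "", backlog)
            print id, kind, sent, dropped, over, backlog
            id = ""
        }'
}

# Classes that have dropped packets: their leaf qdisc (pfifo/esfq) is overflowing.
classes_with_drops() {
    summarize_htb_stats | awk '$4 > 0 { print $1 }'
}

# Child class that has sent the most bytes since the qdisc was installed.
# If this is the low-priority class while 1:10 barely moves, the marks (not
# the shaper) are the first place to look.
busiest_class() {
    summarize_htb_stats | awk '$2 == "child" && $3 > max { max = $3; id = $1 } END { print id }'
}

# Root rate versus the sum of the children's guaranteed rates, in kbit.
# HTB can only honour the guarantees when the sum stays within the root rate.
rate_budget() {
    awk '
        function to_kbit(s,   v) {
            v = s; sub(/[A-Za-z]+$/, "", v)
            if (s ~ /Mbit$/) return v * 1000
            if (s ~ /Kbit$/) return v + 0
            return v / 1000
        }
        /^class htb/ {
            for (i = 1; i <= NF; i++) if ($i == "rate") r = to_kbit($(i + 1))
            if ($4 == "root") root = r; else children += r
        }
        END { print root + 0, children + 0 }'
}

# On a live box: tc -s class show dev eth0 | summarize_htb_stats
printf '%s\n' "$SAMPLE_TC_STATS" | summarize_htb_stats
echo "classes dropping packets: $(printf '%s\n' "$SAMPLE_TC_STATS" | classes_with_drops)"
echo "busiest child class:      $(printf '%s\n' "$SAMPLE_TC_STATS" | busiest_class)"
echo "root vs children (kbit):  $(printf '%s\n' "$SAMPLE_TC_STATS" | rate_budget)"
```

Run it against each of eth0 and eth1 a few minutes apart and compare the sent counters: a growing 1:20 with a flat 1:10 and drops on 1:10 points at classification rather than at the class rates, while a children sum above the root rate (as with the eth1 numbers in the post, 100+100+50+5 kbit against 250 kbit) means the guarantees cannot all be met under load.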
